When SharePoint 2010 was introduced, one of the major changes that it brought with it was a completely new infrastructure for working with user profiles. This infrastructure was based on the Forefront Identity Manager, and represented a fairly bold leap. With it, the integration possibilities were greatly increased, and it allowed for not only read, but write synchronization on a field by field basis (either read or write… not both!).
The problem was that it was unwieldy. Being from an agricultural background, I liken it to a combine. Useful, a lot of moving parts, and it breaks down easily. Couple this with the fact that with the initial release of SharePoint 2010, it wasn’t fully baked, and you have the recipe for what became the top support issue for SharePoint 2010 up until this point. Subsequent Service Packs and Hot Fixes have greatly improved the system (my gold standard is currently Service Pack 1 with the December 2011 Cumulative Updates), but the system does remain complex, and is arguably overkill where a simple Active Directory import is all that is required.
I put out a guide intended to simplify the steps, but the real comprehensive guide is by Spencer Harbar – I strongly recommend a read.
Well, everything old is new again. With SharePoint 2013, the product team heard these messages and brought back the simpler profile import that was in SharePoint 2007 as an option. It’s not available by default, and I don’t necessarily recommend using it (as always, it depends) but if your requirements are a simple import, then it may be for you. Here’s how to get it working.
To start with, do NOT start the User Profile Synchronization Service. This is the FIM based system, and is NOT required for the simple import to work.
Navigate to the User Profile Service Application (from Central Administration, Select Application Management, Manage Service Applications, and then your Profile Service Application). Then, select Configure Synchronization Settings from the Synchronization Section.
Then, instead of “Use SharePoint Profile Synchronization”, select “Use SharePoint Active Directory Import”, and click OK.
Once that is complete, you need to set up an import. To do that, select the “Configure Synchronization Connections” link from the Service Application page.
Then, click “Create New Connection”, and fill out the connection form accordingly.
One thing to note, and a deviation from the original SharePoint 2007 import mechanism is that the account used above MUST have the “Replicating Directory Changes” permission in Active Directory for the import to work. This is the same requirement as the 2010 synchronization, and the full synchronization service with SharePoint 2013.
Navigate back to the Profile Service Application page, and select “Start Profile Synchronization”.
Finally, Select the full synchronization option, and click OK.
After a relatively short period of time, your user profiles should be available.
Again, I don’t necessarily recommend the simpler option if your only problem is complexity, but I do think that is was wise of the product team to add this back in. If your requirements are truly import only, and you don’t have multiple identity systems, this is a quick way to get up and running. It’s also great for testing and demo environments.
Hi, i also have the 2013 version running, but when i go to my site it says: Your My Site experience is on its way!
We’re in the middle of getting your brand new My Site experience set up.
It may take a little while, but in the meantime you can edit your profile or change your photo.
Check to see whether things are up-and-running.
Is it the same for you? What im missing, all services are running, import from AD work….
Hi Jonathon – just give it a bit. It’s provisioning your MySite. I imagine it’s there by now.
so this is just a temp message and it will show my sites and micro blogging in some time ?
@Akhilesh – Yes, that’s certainly been my experience
[…] Profile Import in SharePoint 2013 – Back to the Future […]
Hi John, I tried to write up a history of Profile Import/Synchronization, would love your input on this…
http://spsamer.com/2012/08/16/sharepoint-user-profile-import-synchronization/
[…] SharePoint 2013: Profile Import in SharePoint 2013 – Back to the Future […]
Have you been able to get this to work when mapping thumbnailPhoto attribute to the Picture property. I get the images to import from AD.
…Sorry I was trying to say I can’t get the images to show in Profiles after the import even if I add a mapped property for Picture to thumbnailPhoto.
Any tips for making the picture attribute work, with thumbnailPhoto attribute ??
Help, any luck with allowing me to upload a photo from manage user profiles -> edit user profile.
I get “An unrecoverable error has occurred. Please contact your system administrator.” when I try to do this.
I did a successful ad import in sharepoint2013.
[…] my fellow SharePoint MVP John White has written a good article on new-old, one-way, user profile import from Active Directory to SharePoint, it is well worthy to note that the old, FIM based, read&write user profile import is still […]
ha re
I am trying to use my old Sharepoint 2007 LDAP filter for the AD import on my new Sharepoint 2013 setup. Using (&(objectCategory=Person)(objectClass=User)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*ca)(sn=*)(department=*)(!(!givenName=*))) but it doesn’t seem to be excluding disabled users or service accounts. Any ideas on why an known working LDAP query would take no effect in the SP2013 environment? For what it’s worth the import connection was setup without the LDAP filter initially, I have just come in and am trying to add it. I have run both an incremental and fill synchronization a few times but still the profile exist and I see nothing listed under “profiles excluded from import”.
Thanks
[…] my fellow SharePoint MVP John White has written a good article on new-old, one-way, user profile import from Active Directory to SharePoint, it is well worthy to note that the old, FIM based, read&write user profile import is still […]
When setting up the server like this… before you make any sharepoint settings… should the Forefront Identity Manager Service and the the Forefront Identity Manager Synchronization Service be running? or is SharePoint somehow handling that.
Having a hell of a time getting this figured out on our test 2013 setup. Seems like every time we turn around the FIM services have switched to “Disabled”
I followed the steps described here, but my full sync is not starting. I’m not getting any error message either. Any idea as to why?
I’ve seen this happen before, and it was fixed by a server reboot. I imagine that a Timer reset and/or IISReset would do the trick.